just set up dovecot,

I set up dovecot and all is well, but before I decide that I want to set something up outside of my network, are all passwords secure? should I only use new created users with no special permissions? I setup dovecot.conf with

auth = default

and in default {} the default value is md5-digest

but when I try to select that option with evolution I get this:"unable to connect to POP server $Server_Name: no support for requested authentication mechanism"and it will only work on evolution if I pick "password" for authentication. Just wondering, I guess if this sends passwords in plain text, or if it is encrypted and why I cant choose md5-digest option with evolution...maybe someone could help me here.

I use dovecot with Mozilla mail, thunderbird, and HORDE IMP and I use plain as opposed to MD5 authentication. This means that passwords are encrypted with the standard crypt algoritm instead of with MD5 -- try that, it might work. Also, either the password or the encrypted hash is going to be sent in the clear unles you're using POP3/IMAP over SSL -- have you set up dovecot to work with SSL?

I have tried plain it is the only way it works, but in evolution I pick password does it still get encrypted? and about ssl no i have considered that but dont know much about it...could you point me in the direction to learn about it, I would not like to buy stuff from verisign, but it still works with out getting authentictation certificate right?
How do I create public/private keys?
Is it really worth doing all that or does plain encrypt enough that I shouldn't have to worry 2 much about security?
Anyways if you could like I said point me in the right direction for doing this, that would be great, when you do though please keep in mind I know little to nothing about SSL.

I did read the documentation on dovecot though and mkcert.sh and i got the following error

error on line -1 of dovecot-openssl.cnf
6468:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('dovecot-openssl.cnf','rb')
6468:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
6468:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:

also i am doing pop, server so in dovecot-openssl.cnf so i think i would have to change something there?

I am not sure whether the password gets encrypted in Evolution or at the server, but it doesn't particularly matter since it can just be sniffed off the wire and replayed either way. If your e-mail users also have shell access you really ought to go in for SSL. You don't need to pay VeriSign anything. In the doc directory of the dovecot source there is a script called mkcert.sh. You should edit the dovecot-openssl.cnf file and then run that script -- it will walk you through creating a SSL certificate. Then just enable pop3s and/or ipmaps (secure POP3/IMAP) in dovecot.conf, point it to the certificate, and you're set -- it's actually fairly easy. You'll need to tell your clients to trust your self-signed certificate.

ok i havent tested it yet, but i believe it is working, I just want to make sure permissions for private key should be 600, read and writeable by root thats all and public key read by every1 and writable by root?

ahh its not working...I saw certificate, though it didn't look very neat looking as far as what the output it gave me in evolution was, then when it asked for password it took a long time then finially returned this:

Error while 'Fetching Mail':
Unable to connect to POP server 192.168.2.4.
Error sending password: Unknown error

when I do nmap port 995/tcp is open which is pop3s.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

nvm it is working now, dont ask what i did wrong I am not quite sure, I redid keys and played around with it and somehow got it to work, still would like to know why wierd format of certificate though